Every guarantee on this site reduces to four structural decisions. They aren’t settings or policies an operator could relax under pressure — they are how the system is built. This page is the deep version, for the people who have to validate it before they sign.
Four kinds of thing can affect the outside world: a record gets written, the model gets called, a fact about location is resolved, an action is taken. Each has exactly one owner in the code — one door every caller must pass through. There is no second path, so there is no way to do any of these things unrecorded or ungoverned.
A record is produced through one owner and appended to the trail before the action it describes takes effect. Records carry their producer, their decision, the evidence they stood on, and their parent — so the full chain of cause and effect is reconstructable.
Nothing rewrites or back-dates a record. A reviewer — or the downstream diagnostic agent that consumes the trail — sees exactly what happened, in order, with no privileged narrator in between.
Mechanical code is permitted to assert only closed facts — things that are simply true or false. Everything requiring judgment is the model’s domain. A guess can never be promoted to a verified fact, because the two layers are not allowed to do each other’s jobs.
Closed facts — true or false, no opinion.
Meaning — never reduced to a checkbox.
In most systems, a verification that never ran is indistinguishable from one that passed — silence reads as success. The doctrine inverts that. If the system cannot affirmatively verify a step, it stops, names the reason on the trail, and routes the decision to a human. A missing check is never treated as a pass, and a verifier is never quietly widened until it stops catching anything.
Grounded. Before a claim is allowed to stand, the owning surface returns to the source and compares it against the real bytes. A value that isn’t present is discarded, and the plan is built from the filesystem that actually exists — never an imagined one.
Governed. Every real-world action is dispatched through one channel with an explicit allow-list. The model may request an action; it never writes its own privileged command, and it never reaches the shell directly.
Yours. All four surfaces run on your infrastructure. The model, the agent, your data, and the trail stay inside your perimeter, with no outbound path.
When a decision genuinely turns on judgment the system isn’t entitled to make, it doesn’t guess and it doesn’t stall forever. It escalates to the operator — once — and that ruling is recorded as evidence and folded into the agent’s lessons, so the same question doesn’t return.
The operator is the final court. The architecture’s job is to make sure the machine only brings them the decisions that genuinely need a person, and to prove it handled everything else correctly on its own.
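The four mechanisms described above (one owner per effect, a record appended before the action takes effect, fail-closed verification, an allow-listed action channel, and a single operator escalation whose ruling becomes a lesson) fit in a small model. The following Python sketch is an added example and is not the product's own code; every name in it (`Trail`, `Dispatcher`, `read_file`, `path_exists`, the sample files) is a hypothetical stand-in, and the tiny in-memory "filesystem" is constructed for the demo.

```python
import itertools
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Record:
    """One immutable trail entry: producer, decision, the evidence it stood on, parent."""
    id: int
    producer: str
    decision: str            # "allowed" | "denied" | "escalated" | "ruled"
    evidence: dict
    parent: Optional[int]


class Trail:
    """Append-only: entries are added through append() and never rewritten or reordered."""

    def __init__(self) -> None:
        self._records: list[Record] = []
        self._ids = itertools.count(1)

    def append(self, producer: str, decision: str, evidence: dict,
               parent: Optional[int] = None) -> Record:
        rec = Record(next(self._ids), producer, decision, dict(evidence), parent)
        self._records.append(rec)
        return rec

    def records(self) -> tuple:
        return tuple(self._records)          # read-only view for reviewers

    def chain(self, rec_id: int) -> list:
        """Walk parent links back to the root so cause and effect can be reconstructed."""
        by_id = {r.id: r for r in self._records}
        out = []
        while rec_id is not None:
            out.append(by_id[rec_id])
            rec_id = by_id[rec_id].parent
        return list(reversed(out))


class Dispatcher:
    """The single door for actions (hypothetical). allow_list maps an action name to
    its handler; verifiers maps it to a closed true/false check over the arguments."""

    def __init__(self, trail: Trail, allow_list: dict[str, Callable[..., Any]],
                 verifiers: dict[str, Callable[[dict], bool]]) -> None:
        self.trail, self.allow_list, self.verifiers = trail, allow_list, verifiers
        self.lessons: dict = {}              # (action, args) -> operator ruling

    def request(self, requester: str, action: str, args: dict, parent: Optional[int] = None):
        """Returns (decision, record, result). The record is appended BEFORE the handler
        runs, so nothing can take effect unrecorded."""
        ev = {"requester": requester, "action": action, "args": args}
        key = (action, tuple(sorted(args.items())))

        if action not in self.allow_list:    # the model may only request listed actions
            return "denied", self.trail.append("dispatcher", "denied",
                                               {**ev, "reason": "not on allow-list"}, parent), None
        if key in self.lessons:              # an earlier operator ruling settles this question
            ruling = self.lessons[key]
            rec = self.trail.append("dispatcher", ruling, {**ev, "reason": "prior operator ruling"}, parent)
            return ruling, rec, (self.allow_list[action](**args) if ruling == "allowed" else None)

        verifier = self.verifiers.get(action)
        if verifier is None:                 # fail closed: a check that never ran is not a pass
            return "escalated", self.trail.append("dispatcher", "escalated",
                                                  {**ev, "reason": "no verifier for action"}, parent), None
        try:
            verified = bool(verifier(args))
        except Exception as exc:             # a verifier that cannot run is not a pass either
            return "escalated", self.trail.append("dispatcher", "escalated",
                                                  {**ev, "reason": f"verifier failed: {exc}"}, parent), None
        if not verified:
            return "denied", self.trail.append("dispatcher", "denied",
                                               {**ev, "reason": "verifier returned false"}, parent), None
        rec = self.trail.append("dispatcher", "allowed", {**ev, "verifier": verifier.__name__}, parent)
        return "allowed", rec, self.allow_list[action](**args)

    def rule(self, escalation: Record, ruling: str) -> Record:
        """The operator's one ruling: recorded as evidence, with the escalation as parent,
        and folded into lessons so the same question is not escalated again."""
        assert escalation.decision == "escalated"
        e = escalation.evidence
        self.lessons[(e["action"], tuple(sorted(e["args"].items())))] = ruling
        return self.trail.append("operator", "ruled", {"ruling": ruling, "for": escalation.id},
                                 parent=escalation.id)


def demo():
    trail = Trail()
    files = {"/etc/app.conf": b"mode=safe\n"}        # constructed sample "filesystem"

    def read_file(path):
        return files[path]

    def path_exists(args):                           # closed fact: the path is there or it is not
        return args["path"] in files

    d = Dispatcher(trail, allow_list={"read_file": read_file, "rotate_logs": lambda: "rotated"},
                   verifiers={"read_file": path_exists})
    a = d.request("model", "read_file", {"path": "/etc/app.conf"})    # grounded, allowed
    b = d.request("model", "read_file", {"path": "/etc/ghost.conf"})  # imagined file, denied
    c = d.request("model", "delete_path", {"path": "/etc/app.conf"})  # not allow-listed, denied
    e = d.request("model", "rotate_logs", {})                         # no verifier, escalated
    r = d.rule(e[1], "allowed")                                       # operator rules once
    f = d.request("model", "rotate_logs", {})                         # settled by the lesson
    return trail, a, b, c, e, r, f
```

`demo()` walks one request of each kind; `trail.chain(r.id)` then returns the escalation followed by the ruling, which is the reconstructable cause-and-effect path the page describes. Note what the sketch deliberately lacks: no method updates or deletes a `Record`, and no path reaches a handler without first passing `request()`.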
These four surfaces are identical for every client. What the engagement configures is the domain, the rules, and your definition of correct.